Radware DefensePro IPS & Behavioral protection: Specification Sheet

Page 1

DefensePro IPS and Behavioral Protection

Technical Product Information

Product Models

DefensePro x412 Series

Designed for large data centers protection deployed by large enterprises, eCommerce and service providers Models:

DefensePro 12412 (up to 12Gbps)

DefensePro 8412 (up to 8Gbps)

DefensePro 4412 (up to 4Gbps)

Upgrade options are available from model 4412 and up to 12412 DefensePro x016 Series

Designed for medium sized data centers protection deployed by large enterprises, eCommerce and service providers Models:

DefensePro 3016 (up to 3Gbps)

DefensePro 2016 (up to 2Gbps)

DefensePro 1016 (up to 1Gbps)

Upgrade options are available from model 1016 and up to 3016 DefensePro x06 Series

Designed for small to medium sized data centers protection and Internet Gateway Models:

DefensePro 2006 (up to 2Gbps)

DefensePro 1006 (up to 1Gbps)

DefensePro 506 (up to 500Mbps)

Upgrade options are available from model 506 and up to 2006

Radware DefensePro IPS & Behavioral protection: Specification Sheet

Page 2

Product Features

Feature Protections

Network Wide Protections

Behavioral DoS Protect against known and zero-minute DoS/DDoS flood attacks that misuse network bandwidth resources including: TCP Floods, UDP floods, ICMP floods, IGMP floods and fragmented attacks.

DNS Protection Protect DNS critical infrastructure against flood attack that misuse DNS server resources.

Malware Propagation Prevention and Anti Scanning

Prevent zero-minute malware spread by already infected hosts.

Prevents network pre-attack probes (Reconnaissance) including horizontal and vertical TCP & UDP scanning, stealth scanning and ping sweeps.

RSA FraudAction feeds

Real-time Anti-Trojan and Anti-Phishing service, targeted to fight against financial fraud, information theft and malware spread. Based on real-time reputation feeds from RSA Anti Fraud Command Center (AFCC).

Server Protections

SYN Protection Protect against any type of SYN flood attacks using advanced SYN authentication mechanisms

HTTP flood protection Protect against HTTP page flood attacks that misuse web server resources.

Server-Cracking Protection

Block brute force and dictionary attacks targeting to defeat server authentication schemes including Mail servers (SMTP, POP3, IMAP), FTP servers, SIP servers, MS-SQL and MYSQL servers.

Web sites application vulnerability scanning and hacking protection.

SIP Invite and Bye floods prevention.

Connection Limit Defend against connection based attacks such as half open SYN attacks, request attacks and full session attacks.

Vulnerability-based protections

Signature Protections Protects against known application vulnerabilities and common malware including:

Web application protection, Mail servers protection, FTP servers protection, DNS Vulnerabilities, SIP vulnerabilities, SNMP Vulnerabilities, Microsoft vulnerabilities, Worms and Viruses, Backdoors and Trojans, Cross-Site Scripting, SQL Injections, Spyware, LAN Protocol and Services Protection (RPC, NetBIOS, Telnet etc.), Generic Payloads (Remote Execution, Shellcodes).

Security updates service (SUS) - weekly updates and emergency updates.

User-defined Attack Signatures.

Stateful Inspection RFC compliance and state machine verification for various protocols including TCP, ICMP, DNS, HTTPS, SMTP, IMAP, POP3, FTP, SSH.

Stateful Operation TCP Stream Reassembly, IP Defragmentation.

SSL Attack Prevention Available for DefensePro series X16 and X412 in conjunction with AppXcel.

Bandwidth Management and Access Control

Bandwidth Management

Guarantee bandwidth per application (granular, per user or session basis).

Limit bandwidth per application.

Limit P2P protocol traffic per session.

Access Control Access Lists per IP address & protocol; Black/White Lists per IP address per feature.

Supported protocols More than 100 protocols are supported including TCP, ICMP, DNS, HTTP, HTTPS, SMTP, IMAP, POP3, FTP, Telnet, SSH, SIP, Skinny (SCCP), H.223, RTP, SNMP, MySQL, MS-SQL (TDS) and LAN-centric protocols (RPC, NetBIOS) etc. Additional protocols can be defined by the user.

Management

Alerting SNMP V1, 2C &3, Log File, Syslog, E-mail.

Forensics Attack Packet Logging, In-depth Attack Footprint Analysis, Attack Details and Statistics.

Configuration SNMP V1, 2C, 3, HTTP, HTTPS, SSH, Telnet, SOAP API, Console (user selectable).

Time Synchronization Network Time protocol (NTP)

Export Real-Time Signature information

Northbound XML interface exporting behavioral parameters such as:

Normal traffic patterns.

Attacks real-time signatures of ongoing DoS/DDoS attacks and malware propagation and anti scanning.

Radware DefensePro IPS & Behavioral protection: Specification Sheet

Page 3

Product Specifications

DefensePro Model 506 IPS & Behavioral Protection

1006 IPS & Behavioral Protection

2006 IPS & Behavioral Protection

1016 IPS & Behavioral Protection

2016 IPS & Behavioral Protection

3016 IPS & Behavioral Protection

4412 IPS & Behavioral Protection

8412 IPS & Behavioral Protection

12412 IPS & Behavioral Protection

Network Location Perimeter Core Network Core Network

Hardware Platform OnDemand Switch VL OnDemand Switch 2S1; Dual PS option is: OnDemand Switch 2S2

On Demand Switch 3S2

Performance1

Capacity2 500Mbps 1GMbps 2Gbps 1Gbps 2Gbps 4Gbps 4Gbps 8Gbps 14Gbps

Throughput3 500Mbps 1GMbps 2Gbps 1Gbps 2Gbps 3.6Gbps 4Gbps 8Gbps 12Gbps

Max Concurrent Sessions

2,000,000 2,000,000 2,000,000 2,000,000 2,000,000 2,000,000 4,000,000 4,000,000 4,000,000

Maximum DDoS Flood Attack Prevention Rate

1,000,000 packets per second

1,000,000 packets per second

1,000,000 packets per second

5,000,000 packets per second

5,000,000 packets per second

5,000,000 packets per second

10,000,000 packets per second

10,000,000 packets per second

10,000,000 packets per second

Latency < 60 micro seconds < 60 micro seconds < 60 micro seconds

Real time signatures

Detect and protect attacks in less than 18 seconds

Detect and protect attacks in less than 18 seconds

Detect and protect attacks in less than 18 seconds

Inspection Ports

10/100/1000 Copper Ethernet

4 4 4 12 12 12 8 8 8

GE (SFP) 2 2 2 4 4 4 4 4 4

10GE (XFP) - - - - - - 4 4 4

Management Ports

10/100/1000 Copper Ethernet

2 2 2 2 2 2 2 2 2

RS-232 1 1 1 1 1 1 1 1 1

Operation Mode Network Operation Transparent L2 Forwarding

Deployment Modes

In-line; SPAN Port Monitoring; Copy Port Monitoring; local out-of-path; Out-of-path mitigation (scrubbing center solution)

Tunneling protocols support

VLAN Tagging, L2TP, MPLS, GRE, GTP

IPv6 Support IPv6 networks and block IPv6 attacks

Policy Action Block & Report, Report Only

Block Actions Drop packet, reset (source, destination, both), suspend (source, src port, destination, dest port or any combination), Challenge-Response for HTTP and DNS attacks

High Availability

Fail-open / fail-close

Internal fail-open/fail-close for copper ports; internal fail-close for SFP ports; optional fail-open for SFP

ports4

Internal fail-open/fail-close for copper ports; internal fail-close for SFP ports;

optional fail-open for SFP ports5

Internal fail-open/fail-close for copper ports; internal fail-close for SFP and XFP ports; optional fail-open for SFP

and XFP ports6

Dual Power No No No Optional Optional Optional Yes – hot Yes – hot Yes – hot

1 Actual performance figures may change per network configuration, traffic type, etc.

2 Capacity is measured as maximum traffic forwarding when no security profiles are configured.

3 Throughput is measured with behavioral IPS protections and signature IPS protections using eCommerce protection

profile. 4 External fiber fail-open switch with SFP ports is available at additional cost. 5 External fiber fail-open switch with SFP ports is available at additional cost. 6 External fiber fail-open switches with SFP or XFP ports are available at additional cost.

Radware DefensePro IPS & Behavioral protection: Specification Sheet

Page 4

Supply swappable swappable swappable

Advanced internal overload mechanism

7

Yes Yes Yes Yes Yes Yes Yes Yes Yes

Active-Passive cluster

Yes Yes Yes Yes Yes Yes Yes Yes Yes

Physical

Dimensions (W x D x H) mm

424x457x44 424x600x44 (1U) Dual PS option: 424x600x88 (2U)

424x600x88

Weight (lb, kg) 15.8, 7.2 20.9, 9.5 Dual PS option is 24.0, 10.9

39.0, 18.0

Power Supply Auto range: 100V-120V/200V-240V AC 47-63Hz or 38-72VDC

Auto range: 100V-120V/200V-240V AC 50-60Hz or 38-72VDC

Auto range: 100V-120V/200V-240V AC 50-60Hz or 38-72VDC

Power Consumption

128W 302W Dual PS option is 312W

476W

Heat Dissipation (BTU/h)

436.5 1029 Dual PS option is 1064

1623

Operating Temperature

0-40C

Humidity (non-condensing)

5% to 95%

Safety Certifications

EN 60950-1:2006, CB - IEC 60950-1, cTUVus

EN, UL, CSA, IEC #60950-1

EMC EN 55022, EN 55024, FCC Part 15B Class A

EN 55022, EN 55024, FCC Part 15B Class A

Other Certifications

CE, FCC, VCCI, CB, TUV, UL/cUL, CCC, C-Tick, RoHS

CE, FCC, VCCI, CB, TUV, UL/cUL, CCC, C-Tick, RoHS

Warranty 1-year hardware and software maintenance

Support Certainty Support Program

Patent protected behavioral analysis technology

Radware DefensePro has been successfully awarded multiple United States patents based on real-time signatures, which protect and secure applications and network traffic. DefensePro technology is protected by the following patents:

Patent No. 7,607,170 “Stateful Attack Protection”

Patent No. 7,617,170 “Generated Anomaly Pattern for HTTP Flood Protection”

Patent No. 7,624,084 “Method for Generating Anomaly Pattern for HTTP Flood Protection”

Patent No. 7,681,235 “Dynamic network protection”

Patent No. 7,836,496 “Dynamic network protection II”

Patent No. 11/869,067 “Automatic Signature Propagation Network”

Patent No. 11/835,503 “Method, system and computer program product for preventing sip attacks”

Specifications subject to change without notice.

7 Overload mechanism is designed to obtain maximum security coverage under extreme traffic loads.